[Chicken-announce] [SECURITY] Buffer overrun in some uses of read-string

From: Peter Bex
Subject: [Chicken-announce] [SECURITY] Buffer overrun in some uses of read-string! procedure from "extras"
Date: Thu, 26 Sep 2013 21:02:16 +0200
User-agent: Mutt/1.4.2.3i

Hello CHICKEN users,

A problem was found with the read-string! procedure from the "extras"
unit, when used in a very particular way. The manual says:

    [procedure] (read-string! NUM STRING [PORT [START]])

    Read or write NUM characters from/to PORT [...]
    If NUM is #f or not given, then all data up to the end-of-file
    is read [...].
    If no more input is available, read-string returns the
    empty string. read-string! reads destructively into the given
    STRING argument, but never more characters than would fit into
    STRING.

    [http://wiki.call-cc.org/man/4/Unit%20extras#read-string]
It turned out that there was a missing check for the situation when
NUM was #f and the input size to be read from the port exceeded the
given buffer's (STRING's) size. This will result in a buffer overrun,
which may lead to general corruption of the stack or heap, and
can potentially be used to execute arbitrary code.

The bug was fixed by changeset cd1b9775005ebe220ba11265dbf5396142e65f26
[http://code.call-cc.org/cgi-bin/gitweb.cgi?p=chicken-core.git;a=commit;h=cd1b9775005ebe220ba11265dbf5396142e65f26]

All currently released CHICKENs are vulnerable to this bug: all stable
versions up until 4.8.0.4, and all development snapshots up until 4.8.2.
CHICKEN 4.9.0 and 4.8.0.5 will include the fix, as will all development
snapshots starting with 4.8.3.

There is a simple workaround to be used in code that uses read-string!:
simply convert all (read-string! #f buf ...) invocations to
(read-string! (string-length buf) buf ...) or, if possible, use the
non-destructive read-string procedure from the same unit.

A quick scan of the egg repository pointed out that so far only
http-client seemed to be using read-string! in this manner. This
has been fixed in http-client 0.6.1, so all users are advised to
at least upgrade this egg.

Kind regards,
The CHICKEN Team
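The workaround above, applied to a small chunked reader, as an added example that is not code from the advisory, from CHICKEN or from http-client. It assumes CHICKEN 4 with the "extras" unit loaded and that read-string! returns the number of characters it stored; the helper names and the sample input are constructed for this illustration.

```scheme
;; Added example, not from the advisory: the workaround applied to a small
;; chunked reader. Assumes CHICKEN 4 with the "extras" unit; read-string!
;; is assumed to return the number of characters it stored into the buffer.
(use extras)                         ; read-string! lives in unit "extras"

;; Affected call shape on unpatched CHICKEN (<= 4.8.0.4 / 4.8.2):
;;   (read-string! #f buf port)
;; NUM = #f means "read up to end-of-file"; with the missing bound check,
;; input longer than BUF was written past its end.
;;
;; Workaround: bind NUM to the buffer's own length, so read-string! is never
;; asked for more than BUF can hold, on patched and unpatched releases alike.
(define (read-chunk! buf port)
  (read-string! (string-length buf) buf port))

;; Drain PORT into a fresh string, reusing one fixed-size buffer. Each call
;; to read-chunk! fills at most BUF-SIZE characters; a count of 0 signals
;; end-of-file, so input of any length is handled without a larger buffer.
(define (read-all-via-buffer port #!optional (buf-size 16))
  (let ((buf (make-string buf-size))
        (out (open-output-string)))
    (let loop ()
      (let ((n (read-chunk! buf port)))
        (cond ((> n 0)
               (display (substring buf 0 n) out)
               (loop))
              (else (get-output-string out)))))))

;; Constructed input, deliberately longer than the 16-character buffer: the
;; old call shape would have overrun BUF here; the bounded call just loops.
(define constructed-input
  "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

(define (demo)
  (let ((result (read-all-via-buffer (open-input-string constructed-input))))
    (unless (string=? result constructed-input)
      (error "round trip failed" result))
    (print "read " (string-length result) " characters through a 16-char buffer")
    result))

(demo)
```

Replacing every (read-string! #f buf ...) with a bounded call like read-chunk! is the change the advisory asks for; the loop shows that bounding NUM loses no data when the input is longer than the buffer.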